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PRELIMINARY AMENDMENT 

Sir: 

Please enter this Preliminary Amendment for the above-identified national phase 
application. 

AMENDMENT 

In the Title: 

Please cancel the English version of the title of the invention as printed in the front page of the PCT 
publication, and substitute therefor: 

- DEVICE AND METHOD FOR PROCESSING A SEQUENCE OF INFORMATION PACKETS -. 

In the Specification: 

Page 3, before line 36, insert the heading: 

- BRIEF DESCRIPTION OF THE DRAWINGS -- 

Page 4, between lines 1 1 and 12, insert the heading: 

- DESCRIPTION OF PREFERRED EMBODIMENTS -- 
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In the Abstract: 

Please cancel the Abstract as printed in the front page of the PCT publication, and insert therefor 
the following Abstract. 

- ABSTRACT 

The packets of the sequence are stowed away in a packets memory organized as a stack, in 
association with respective processing labels. The processing label associated with each packet extracted 
from the packets memory is examined so as to activate a processing module selected as a function of the 
label received. The activated module performs an elementary processing of the packet extracted. The 
elementary processing performed by at least one of the processing modules comprises associating the 
extracted packet with a label modified in accordance with a labels translation table, the processed packet 
subsequently being stowed away again in the packets memory in association with the modified label. — 

In The Claims: 

Please amend Claims 1-5 to read as follows. A set of amended claims, red-lined to show the 
amendments, is attached hereto. 

1 . (Amended) A device for processing a sequence of information packets, comprising: 
a packets memory organized as a stack, 

means for stowing away the packets of the sequence in association with respective 
processing labels, 

a plurality of processing modules,, 
at least one labels translation table, 
means for extracting packets from the packets memory, and 

supervisory means for receiving the processing label associated with each packet extracted 
from the packets memory and activating one of the processing modules selected as a function of 
the label received, the activated module being arranged to perform an elementary processing of the 
extracted packet, 

whereby the elementary processing performed by at least one of the processing modules 
comprises associating the extracted packet with a label modified in accordance with a labels translation 
table, the processed packet subsequently being stowed away again in the packets memory in association 
with the modified label. 
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2. (Amended) A device according to claim 1, wherein a first processing label is associated initially with 
each packet of the sequence, wherein the supervisory means are arranged to activate a filtering module 
forming part of the plurality of processing modules in response to the receipt of the first processing label, 
and wherein the elementary processing performed by the filtering module comprises analyzing a header 
of the packet extracted and associating the packet with a second processing label dependent on a result of 
the analysis. 

3. (Amended) A device according to claim 1, wherein the plurality of processing modules comprises an 
output module for transmitting the extracted packet to an output of the device, with a signature based on 
a secret shared with a concentrating router of a telecommunication network, authenticating that the 
packet has been subjected to the processing operations performed by the device. 

4. (Amended) A method of processing a sequence of information packets, comprising the steps of: 

stowing away the packets of the sequence in a packets memory organized as a stack, in 
association with respective processing labels, and 

examining the processing label associated with a packet extracted from the packets memory 
so as to activate a processing module selected as a function of the label received from among an 
assembly a plurality of processing modules, whereby the activated module performs an elementary 
processing of the packet extracted, 

wherein the elementary processing performed by at least one of the processing modules 
comprises associating the extracted packet with a label modified in accordance with a labels translation 
table, the processed packet subsequently being stowed away again in the packets memory in association 
with the modified label. 

5. (Amended) A method according to claim 4, wherein, after having been subjected to various 
elementary processing operations, each packet is delivered with a signature based on a secret shared with 
a concentrating router of a telecommunication network, authenticating that the packet has been subjected 
to said elementary processing operations. 
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REMARKS 



The present application is a national phase filing under 35 U.S.C. 371 of PCT/FR99/03099. 
PCT/FR99/03099 claims priority to FRNo. 98/15757 filed on December 14, 1998, as indicated on the 
PCT cover page of the international application, as filed in French, submitted herewith. However, the 
English translation of the PCT cover page, attached to the English translation of the international 
application submitted herewith, refers incorrectly to PCT/FR99/03097 which claims priority to FRNo. 
98/15756. Nonetheless, the English translation of the international application submitted herewith refers 
correctly to PCT/FR/03099. 

Applicant submits that the present amendments introduce no new matter. Claims 1-5 are pending 
in the application. The Examiner is invited to call the undersigned, if the Examiner believes that a 
telephone conversation could be helpful in expediting prosecution of the instant application. 



Respectfully submitted, 



Date: June 14, 2001 
Reg. No. 41,418 




Tel. No.: (617) 248-7240 
FaxNo.: (617) 248-7100 



Patrick R. H. Waller 

Agent for Applicant(s) 

Testa, Hurwitz, & Thibeault, LLP 

High Street Tower 

125 High Street 

Boston, Massachusetts 02110 
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CLAIM AMENDMENTS (RED-LINED VERSION") 

1 . (Amended) A [DJdevice for processing a sequence of information packets, [characterized in that it 
comprises] comprising: 

a packets memory [(35),] organized as a stack, [in which] 

means for stowing away the packets [(30)] of the sequence [are stowed away] in association 
with respective processing labels [(36)], [an assembly] 
a plurality of processing modules [(Ml - M5)] i 
at least one labels translation table, 

means for extracting packets from the packets memory , and 

supervisory means [(37)] for receiving the processing label associated with each packet 
extracted from the packets memory and activating one of the processing modules selected as a 
function of the label received, the activated module [undertaking] being arranged to perform an 
elementary processing of the extracted packet, [and in that] 

whereby the elementary processing [undertaken] performed by at least one of the processing 
modules [(M2, M3)] comprises [the] associating [of] the extracted packet with a label modified in 
accordance with a labels translation table [(T2, T3)], the processed packet subsequently being stowed 
away again in the packets memory [(35)] in association with the modified label. 

2. (Amended) A [D]device according to claim 1, [in which] wherein a first processing label is 
associated initially with each packet [(30)] of the sequence, [in which] wherein the supervisory means 
[(37)] are arranged to activate a filtering module [(Ml)] forming part of the [assembly] plurality of 
processing modules in response to the receipt of the first processing label, and [in which] wherein the 
elementary processing [undertaken] performed by the filtering module comprises [an analysis of] 
analyzing a header of the packet extracted and [the] associating [of] the packet with a second processing 
label dependent on [the] a result of the analysis. 

3. (Amended) A [DJdevice according to claim 1 [or 2, in which] , wherein the [assembly] plurality of 
processing modules comprises an output module [(M5) which transmits] for transmitting the extracted 
packet to an output of the device, with a signature based on a secret shared with a concentrating router 
[(12)] of a telecommunication network [(10)], authenticating that the packet has been subjected to the 
processing operations performed by the device [(24)]. 
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4. (Amended) A [M] method of processing a sequence of information packets, [characterized in that] 
comprising the steps of: 

stowing away the packets [(30)] of the sequence [are stowed away] in a packets memory 
[(35)] organized as a stack, in association with respective processing labels [(36)], and 

examining the processing label associated with [each] a packet extracted from the packets 
memory [is examined] so as to activate a processing module selected as a function of the label 
received from [among an assembly] a plurality of processing modules [(Ml - M5)], whereby the 
activated module [undertaking] performs an elementary processing of the packet extracted, [and in 
that] 

wherein the elementary processing [undertaken] performed by at least one of the processing 
modules [(M2, M3)] comprises [the] associating [of] the extracted packet with a label modified in 
accordance with a labels translation table [(T2, T3)], the processed packet subsequently being stowed 
away again in the packets memory in association with the modified label. 

5. (Amended) A [M]method according to claim 4, [in which] wherein , after having been subjected to 
various elementary processing operations, each packet is delivered with a signature based on a secret 
shared with a concentrating router [(12)] of a telecommunication network [(10)], authenticating that the 
packet has been subjected to said elementary processing operations. 
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EXPRESS MAIL MAILING LABEL 

DEVICE AND METHOD FOR PROCESSING A SEQUENCE OF 
INFORMATION PACKETS 

The present invention relates to packet based 
transmission networks. It applies in particular, but 
not exclusively, to networks operating according to the 
Internet protocol (IP) . 

The invention can be implemented at the level 
of the outside interfaces of routers of the network, so 
as to perform analyses and processing of the data 
streams travelling through these interfaces. 

Here, the expression "police" functions 
designates various processing or control operations 
performed at the level of such an interface on data 
streams which pass through it. By way of nonlimiting 
examples, mention may be made of the counting of the 
packets exchanged between a given source address and a 
given destination address, the allocating of priorities 
to certain packets, address translations, the selective 
destruction of certain packets, etc. 

These police functions may be included within a 
contractual framework between a subscriber and a 
manager of the network. Such may for example be the 
case with functions relating to flow control, to 
authorization for access to certain sites linked to the 
network, to the implementing of reservation protocols 
such as RSVP, etc. They may also be included within the 
framework of the internal organization of a public or 
private network, for example to control certain 
accesses . 

Current routers offer a set of configuration 
commands making it possible to apply such police 
functions. Thus, a filter relating to certain fields of 
the header of the packets is defined so as to identify 
the stream or streams concerned, the filter being 
associated with a particular function operated on the 
corresponding packets. These filters, or "access list", 
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exhibit certain inflexibilities. Thus, it is not 
possible to string two filters together, one specifying 
a sort on the packets selected by the first. These 
filters are constructed on a sequential model : the 
5 first filter which is suitable for a given packet is 
adopted with the exclusion of the following filters 
which might also be suitable. It is therefore 
impossible to apply several rules and associated 
processing operations to one and the same stream (for 

10 example to count all the packets transmitted according 
to the TCP protocol on a port x and to count all the 
TCP streams heading for a given server, including those 
traveling toward the port x) . 

To sidestep certain of these limitations, 

15 commands performing several joint actions have been 
defined. These solutions afford only relative 
flexibility and appreciably complicate the language for 
configuring the routers. A homogeneous framework for 
managing the future extensions of the police functions 

20 to be undertaken is also lacking. 

An aim of the present invention is to propose a 
mode of processing sequences of information packets 
which offers high flexibility of configuration without 
significantly increasing the complexity of the 

25 configuration interface. 

The invention thus proposes a device for 
processing a sequence of information packets, 
comprising a packets memory, organized as a stack, in 
which the packets of the sequence are stowed away in 

30 association with respective processing labels, an 
assembly of processing modules, and supervisory means 
receiving the processing label associated with each 
packet extracted from the packets memory and activating 
one of the processing modules selected as a function of 

35 the label received, the activated module undertaking an 
elementary processing of the extracted packet. The 
elementary processing undertaken by at least one of the 
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processing modules comprises the associating of the 
extracted packet with a label modified in accordance 
with a labels translation table, the processed packet 
subsequently being stowed away again in the packets 
memory in association with the modified label 

The device makes it possible to string together 
police functions according to an arbitrary graph of 
elementary processing operations acting on data streams 
identified by the processing labels. This affords a 
flexible framework for managing the configuration of 
the interface and any protocol extensions. 

The performance of the device is independent of 
the number of strings of elementary processing 
operations which may be performed on the streams 
traveling through the interface, and proportional to 
the more complex of these strings. On the other hand, 
the technique used consumes more memory than a 
conventional sequential implementation. 

Another aspect of the present invention 
concerns a method of processing a sequence of 
information packets, in which the packets of the 
sequence are stowed away in a packets memory organized 
as a stack, in association with respective processing 
labels, the processing label associated with each 
packet extracted from the packets memory is examined so 
as to activate a processing module selected as a 
function of the label received from among an assembly 
of processing modules, the activated module undertaking 
an elementary processing of the packet extracted. The 
elementary processing undertaken by at least one of the 
processing modules comprises the associating of the 
extracted packet with a label modified in accordance 
with a labels translation table, the processed packet 
subsequently being stowed away again in the packets 
memory in association with the modified label. 

Other features and advantages of the present 
invention will become apparent in the following 
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description of nonlimiting exemplary embodiments, with 
reference to the appended drawings, in which: 

- figure 1 is a diagram of a network where the 
invention may be implemented; 

- figure 2 is a schematic diagram of an access 
router of a private installation of this network; 

- figure 3 is a schematic diagram of a stream 
processing device forming part of an interface of the 
router of figure 2; and 

- figure 4 is a graph of elementary processing 
operations undertaken by the device of figure 3. 

Figure 1 shows a wide area shared network (WAN) 
10 comprising a certain number of interconnected 
routers and switches 11, 12. The case where the shared 
network 10 operates according to the IP protocol is 
considered here. A certain number of the routers are 
concentrating routers 12 to which private installations 
13 are linked. 

A private subscriber installation 13 is 
typically linked to the shared network 10 by means of 
an access router 15, one of whose interfaces 16 is 
linked to a line 17 for transmission from and to the 
concentrating router 12. The access router 15 can be 
linked to other routers of the private installation 13 
or to servers or terminals 18 of this installation, by 
means of other interfaces, which are not represented in 
figure 1. 

Figure 2 shows an exemplary architecture of the 
access router 15. The outside interface 16, and also 
the interfaces 20, 21 with the remainder of the private 
installation 13, are linked to the core of the router 
consisting of a packet forwarding engine 22. The 
forwarding engine 22 forwards the packets from one 
interface to another on the basis of the address fields 
and port fields contained in the headers of the packets 
in accordance with the IP protocol and with any 



WO 00/36779 



PCT/FR99/03099 



extensions thereof {TCP, UDP, etc.), by referring to 
routing tables. 

Certain of the interfaces of the access router 
15 are provided, in just one or in both directions of 
5 transmission, with processing devices, or stream 
processors, 24, 25 undertaking police functions. In the 
illustrative example of figure 2, the device 24 is 
fitted to the outside interface 16 in the outgoing 
direction, and the device 25 is fitted to another 
10 interface 20 in the incoming direction. 

The access router is supervised by a management 
unit 26 which can consist of a microcomputer or a work 
station which executes routing software serving in 
particular to configure the routing table of the 
15 forwarding engine 22 and the stream processors 24, 25 
and to exchange control or protocol information with 
them. These commands and exchanges are effected by way 
of an appropriate software programming interface (API) . 

Most of the existing packet routing and 
20 forwarding software is readily available in the Unix 
environment, but its performance is customarily limited 
on account of the frequent interruptions of the 
operating system. It is much faster to use a real time 
operating system such as VxWorks, but this complicates 
25 the implementation of the routing software. 

The role of the stream processors 24, 25 is to 
assist the non-real time operating system (such as 
Unix) , on the basis of which the management unit 2 6 
functions, in the complex tasks for manipulating the 
30 streams which require real time performance 
(forwarding, filtering, enciphering, etc.). These 
processors implement a certain number of tools for 
manipulating the streams which may be linked 
dynamically according to any combination so as to 
35 perform the task required. This configuration can be 
achieved through the Unix operating system by calling 
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the API functions, thereby greatly facilitating the 
setting up of new functionalities by the programmer. 

As illustrated diagrammatically by figure 1, 
one of the tasks performed by the stream processor 24 
5 of the outside interface 16 of the access router 15 
consists in transmitting each packet to the 
concentrating router 12 while appending a digital 
signature (block 40) thereto. This signature attests 
that the packets in question have been subjected to the 

10 other stream control operations (block 39) performed by 
the processor 24. 

The corresponding interface 2 8 of the 
concentrating router 12 comprises a module for 
analyzing the packets received on the line 17 so as to 

15 make sure that the signature is present. 

This signature technique advantageously makes 
it possible to decentralize the stream control 
operations necessary for the contractual relations 
between the manager of the concentrating router 12, 

20 which provides the service of attachment to the shared 
network 10, and the subscribers whose installations 13 
are linked to this concentrating router 12. In the 
conventional embodiments, these stream control 
operations are performed at the level of the 

25 concentrating router. This results in considerable 
complexity of the concentrating router when it is 
attached to a fairly large number of private 
installations, and a lack of flexibility for the 
subscribers when modifications are required. 

30 By performing these stream control operations 

at the level of the access routers 15, great 
flexibility is afforded in this regard. The signing of 
the packets then guarantees to the service provider 
that the line 17 does not send him valid packets which 

35 depart from the contractual framework with the 
subscriber. If such a packet were to appear, the 
interface 28 of the concentrating router 12 would 
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simply eliminate it after having noted the absence of 
the appropriate signature. 

Various conventional processes may be used to 
construct and analyze the signature of the packets, on 
the basis of a secret shared between the routers 12 and 
15. The signature can in particular have the form of a 
code word added to the content of the packet, and 
calculated on the basis of all or part of this content 
and of a secret key, the calculation being performed 
with the aid of a function which is extremely difficult 
to invert in order to recover the secret key. It is 
thus possible to use a technique of hashing the content 
of the packet, or of just a part of this content, for 
example an MD5 hashing (see R. Rivest, RFC 1231, "The 
MD5 Message Digest Algorithm") . 

It is also possible to use an enciphering 
process to form the signature of the packets. The 
content of the packet is then enciphered with the aid 
of a private key, the interface 28 of the concentrating 
router undertaking the corresponding deciphering with 
the aid of a public or private key. The unenciphered 
packets, or those enciphered by means of a wrong key 
are then destroyed at the level of the interface 28. 

As an option, provision may be made for the 
interface 28 of the concentrating router to also sign 
the packets which it transmits on the line 17, and for 
the interface 16 of the access router to verify this 
signature so as to make sure that the packets received 
are valid. 

Figure 3 shows the organization of a stream 
processor 24 or 25 of an interface of the access router 
15. 

The stream processor receives a sequence of 
incoming packets 30 each comprising a header 31 in 
accordance with the IP protocol, and delivers a 
sequence of outgoing packets 32 having a header 33 
after having performed certain elementary processing 
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operations whose nature depends on the data streams 
concerned . 

The incoming packets 30 are stowed away in a 
packets memory 35 organized as a first in-first out 
5 (FIFO) stack. Each packet is fed to the memory 35 with 
a processing label 36. The processing label initially 
has a specified value (0 in the example represented) 
for the incoming packets 30. 

The stream processor is supervised by a unit 37 

10 which cooperates with a table 38 making it possible to 
associate a particular processing module with each 
value of the processing label. In the simplified 
example represented in figure 3, the stream processor 
comprises an assembly of five processing modules Ml - 

15 M5 effecting elementary processing operations of 
different kind. 

After the execution of an elementary processing 
operation, the supervisory unit 37 consults the packets 
memory 35. If the latter is not empty, a packet is 

20 extracted therefrom according to the FIFO organization. 
The supervisory unit 37 consults the table 38 to 
determine which processing module corresponds to the 
label of this packet. The unit 37 then activates the 
module in question so that it performs the 

25 corresponding elementary processing operation. In 
certain cases, this elementary processing operation may 
entail a modification of the content of the packet, in 
particular its header. 

It will be understood that the "extraction" of 

30 the packet, to which reference is made, is an 
extraction in the logical sense from the FIFO memory. 
The packet is not necessarily removed from the memory. 
The addresses of the packets in the memory 35 can be 
managed in a conventional manner by means of pointers 

35 so as to comply with the FIFO organization. The 
activated processing module can be furnished simply 
with the address of the current packet so as to perform 
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the required reads, analyses, modifications or 
deletions as appropriate. 

The first processing module Ml, associated with 
the initial label 0, is a filtering module which 
5 analyzes the address field and/or protocol definition 
field and/or port field of the IP header of the 
packets. With the help of an association table Tl, the 
filtering module Ml delivers a second processing label 
which identifies a string of elementary processing 

10 operations which will subsequently have to be performed 
on the packet. After having determined the second 
processing label for the packet extracted from the 
memory 35, the filtering module Ml stows away the 
packet in the memory 35 again, with the second 

15 processing label. The next elementary processing 
operation will then be executed when the packet is 
again extracted from the memory. 

The module M2 is a module for counting the 
packets relating to certain streams. In the case of the 

20 association table 38 represented in figure 3, this 
module M2 is called for the processing labels 2 and 4. 
When it processes a packet, the module M2 increments a 
counter with the number of bytes of the packet, or else 
with the value 1 in the case of a packets counter. The 

25 counter can be made secure, in particular if it serves 
for the billing of the subscriber by the manager of the 
network 10. In the case of a secure counter, requests 
are regularly made to the access provider to obtain 
transmission credits, the relevant packets being 

30 destroyed if the credit is used up. 

The module M3 of figure 3 is a priorities 
management module. In the case of the association table 
38 represented in figure 3, this module M3 is called 
for the processing label 3. The module M3 operates on 

35 the TOS ("Type of Service") field of the IP header of 
the packets. The TOS is used in the network to manage 
forwarding priorities so as to provide a certain 
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quality of service on certain links. The TOS field can 
be changed according to prerecorded tables. These 
tables can be defined under the control of the access 
provider so as to prevent packets being inappropriately 
5 transmitted with a high priority, which might disturb 
the network. 

The elementary processing operation performed 
last on a packet of the memory 35 is either its 
destruction (module M4 activated by the label 8), or 

10 its resubmission to the output of the stream processor 
(module M5 activated by the label 5 or 9) . The module 
M4 can be used to destroy packets having a certain 
destination and/or a certain origin. 

The modules M2 and M3, which do not terminate 

15 the processing operations to be undertaken in respect 
of a packet (except in the case of destruction) , each 
operate with a label translation table T2 , T3 . This 
translation table designates, for the processing label 
extracted from the memory 35 with the current packet, 

20 another processing label designating the next 
elementary processing operation to be undertaken. The 
elementary processing operation undertaken by this 
module M2 or M3 terminates with the associating of the 
packet with this other processing label and the 

25 reinjecting of the packet thus processed into the 
memory 35. 

In this way, highly varied combinations of 
processing operations can be performed on the various 
data streams passing through the processor. 

30 Figure 4 shows a simplified example 

corresponding to the tables 38, Tl - T3 represented in 
figure 3. The incoming packet 30, associated with the 
first label 0, is firstly subjected to the filtering 
effected by the module Ml. 

35 In the particular case considered, the stream 

processor 24 counts the packets transmitted from a 
source address AS1 to a destination address AD1 and a 
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port PI, and modifies the TOS field of these packets 
before delivering them on the line 17, this 
corresponding to the upper branch of the graph of 
figure 4. Moreover, the stream processor 24 counts the 
5 packets emanating from a source address AS 2 heading for 
a port P2 before destroying them, this corresponding to 
the lower branch of figure 4 . The other packets are 
simply delivered to the line 17. The default value (9) 
of the processing label returned by the module Ml 

10 therefore simply designates the output module M5 . If 
the module Ml detects in the packet extracted from the 
memory 35 the combination AS1, AD1, PI in the relevant 
address and port fields, it returns the packet with the 
processing label 2. If the values AS2, P2 are detected 

15 in the address and port fields, it is the label 4 which 
is returned with the packet. 

These labels 2 and 4 both correspond to the 
counting module M2 . The label will also designate for 
this module the memory address of the counter which has 

20 to be incremented. The table T2 with which the module 
M2 operates will make it possible at the end of 
processing to perform the return to the next module to 
be activated (M3 designated by the label 3 for the 
packets whose TOS has to be changed, M4 designated by 

25 the label 8 for the packets to be destroyed) . 

The module M3 receives packets with the 
processing label 3, and returns them with the label 9 
after having made the required modification of the TOS 
field. 

30 From this simplified example it can be seen 

that the stream processor makes it possible, through 
the identification of a stream by the filtering module 
Ml, to perform various combinations of elementary 
processing operations in a relatively simple and fast 

35 manner. 

A main advantage of this way of proceeding is 
the flexibility of the operations for configuring the 
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stream processor. The tables 38, Tl - T3 which define 
any graph of elementary processing operations, such as 
the one represented in figure 4, can be constructed 
relatively simply and with a small real time constraint 
by means of the management unit 36 through the API. The 
same holds in respect of the information enabling the 
modules Ml - M5 to perform their elementary processing 
operations (description of the counts to be performed 
by the module M2 , way of changing the TOS fields by the 
module M3, etc . ) . 

In practice, the stream processor may comprise 
various processing modules other than those represented 
by way of example in figures 3 and 4, according to the 
requirements of each particular installation (for 
example, module for managing the output queues, address 
translation module, etc.). 

The function of signing the packets 
transmitted, which was described earlier, can form part 
of the elementary processing undertaken by the output 
module M5 . In a typical embodiment of the access 
router, the stream processor 24 will be included in an 
application specific integrated circuit (ASIC) 
organized around a microcontroller core. This 
embodiment allows there to be no physical access 
between the stream control modules 39 (at least those 
which pertain to the relations between the subscriber 
and the manager of the network 10) and the module M5 
which is responsible for signing the packets, 
corresponding to the block 40 of figure 1. This 
improves the security of the link from the viewpoint of 
the manager of the network. 
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CLAIMS 



1 . Device for processing a sequence of information 

packets, characterized in that it comprises a packets 
5 memory (35) , organized as a stack, in which the packets 
(30) of the sequence are stowed away in association 
with respective processing labels (36) , an assembly of 
processing modules (Ml - M5) , and supervisory means 
(37) receiving the processing label associated with 

10 each packet extracted from the packets memory and 
activating one of the processing modules selected as a 
function of the label received, the activated module 
undertaking an elementary processing of the extracted 
packet, and in that the elementary processing 

15 undertaken by at least one of the processing modules 
(M2, M3) comprises the associating of the extracted 
packet with a label modified in accordance with a 
labels translation table (T2, T3) , the processed packet 
subsequently being stowed away again in the packets 

20 memory (35) in association with the modified label. 

2. Device according to claim 1, in which a first 
processing label is associated initially with each 
packet (30) of the sequence, in which the supervisory 
means (37) activate a filtering module (Ml) forming 

25 part of the assembly of processing modules in response 
to the receipt of the first processing label, and in 
which the elementary processing undertaken by the 
filtering module comprises an analysis of a header of 
the packet extracted and the associating of the packet 

30 with a second processing label dependent on the result 
of the analysis. 

3. Device according to claim 1 or 2, in which the 
assembly of processing modules comprises an output 
module (M5) which transmits the extracted packet to an 

35 output of the device, with a signature based on a 
secret shared with a concentrating router (12) of a 
telecommunication network (10) , authenticating that the 
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packet has been subjected to the processing operations 
performed by the device (24) . 

4. Method of processing a sequence of information 
packets, characterized in that the packets (30) of the 
sequence are stowed away in a packets memory (35) 
organized as a stack, in association with respective 
processing labels (36) , the processing label associated 
with each packet extracted from the packets memory is 
examined so as to activate a processing module selected 
as a function of the label received from among an 
assembly of processing modules (Ml - M5) , the activated 
module undertaking an elementary processing of the 
packet extracted, and in that the elementary processing 
undertaken by at least one of the processing modules 
(M2, M3) comprises the associating of the extracted 
packet w ith a label modified in accordance with a 
labels translation table (T2, T3) , the processed packet 
subsequently being stowed away again in the packets 
memory in association with the modified label. 

5. Method according to claim 4, in which, after 
having been subjected to various elementary processing 
operations, each packet is delivered with a signature 
based on a secret shared with a concentrating router 

of a telecommunication network (10), 
authenticating that the packet has been subjected to 
said elementary processing operations. 
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